
Thursday, May 26, 2011

In a cyberwar fought in an Internet-driven, overconnected world, things get turned upside down. The best offense is a defense. If a cyber-attacker disables your military command and control system, shuts down and catastrophically damages your power grid, makes your telecommunication system non-functional, and cripples your financial system, there isn’t much left to fight with.

Think of what the state of the country would be without these systems. Without power and telecommunications, there would be no logistic systems, supermarket shelves would be empty, credit cards wouldn’t work and money would be unavailable from ATMs. Water would stop flowing to your home, and since gasoline would be unavailable from electrically powered pumps, your car would not work. Among the other systems subject to attack: pipelines, sewage, and water supply. You get the idea.

If President Obama and the rest of our nation’s leaders aren’t actively implementing our cyber-defenses, they are implicitly planning to lose World War III.

For a long time I thought the idea of software designed to cause great physical damage to systems was fanciful. Then I came across a story in Thomas C. Reed’s 2004 book, At the Abyss: An Insider’s History of the Cold War. Reed, a former Secretary of the Air Force, told a story about a massive, three-kiloton explosion of a Soviet pipeline, the most massive non-nuclear explosion ever observed from outer space.

According to Reed, Russian agents stole software used to control the pipeline. As it happened, the CIA had anticipated the theft and deliberately programmed the software to go haywire. Sure enough, in 1982, when the Soviets deployed the stolen software, the pumps kept pumping while valves were shut, producing pressures in excess of those the pipeline joints and welds could stand. The massive explosion soon followed.

I certainly hope there will never be a third world war, but I know there will be an increase in cyber-warfare, cyber-terrorism, cyber-crime, and cyber-vandalism. One only has to read the newspapers to be convinced that such incidents are on the rise.

In early 2007, Estonia came under cyber-assault. Estonia is one of the most Internet-dependent countries in the world. Ninety-six percent of its banking transactions are online. Citizens pay for parking using their cell phones. The attacks first targeted government sites and then were used to knock news sites offline. They culminated on May 10 when Hansabanka, the country’s largest bank, was forced to shut down its online operations, taking ATMs offline and severing the bank’s connections to the rest of the world.

South Korea has been attacked on numerous occasions. In 2009 a series of DDoS (Distributed Denial of Service) attacks were launched against government, news media, and financial web sites. More attacks occurred early this year. The April 12 attack paralyzed the Nonghyup Bank network for a week. The attacks were believed to have originated with the North Koreans.

On April 19, 2011, Sony began investigating a cyber-attack that was a “very carefully planned, very professional, highly sophisticated criminal cyber-attack designed to steal personal and credit card information for illegal purposes.” Sony discovered that credit card data and email addresses had been stolen from 77 million user accounts. Further investigation revealed that information was stolen from another 24.6 million online gambling accounts.

These assaults take two general forms. The first are attacks from the outside and usually take the form of DDoS (Distributed Denial of Service) attacks. In these attacks, an unauthorized remote user seizes control of thousands of computers and orders these “zombies” to flood websites with millions of messages. The overloaded systems become saturated and can no longer carry out routine operations. This type of attack brought down the Hansabanka and Nonghyup Banks.

The second form of attack is far more dangerous. The attacker gets inside the system and seizes control of the system operation or disables the system. The attacker may plant a “logic bomb” that will wake up on command or at some time in the future and might erase the system or perform some function that will injure the system under its control.

Stuxnet is a worm that was introduced into the Siemens programmable logic controllers at the Natanz uranium enrichment facility in Iran. It is believed the worm rapidly cycled the centrifuges to 1410 cycles per second and then slammed on the brakes, slowing them to 2 cycles. The rapid deceleration tore centrifuges apart. The same type of logic controller is used in numerous SCADA (Supervisory Control and Data Acquisition) systems in nuclear power and chemical plants. In a nuclear plant, such a logic bomb could cause a meltdown.

It is also possible for an attacker to use software trap doors to seize control of a command and control system and cause it to issue orders. In this scenario, troops might be ordered to attack the wrong target.

We are planning to lose World War III because we are unwilling to aggressively confront the cyber-defense issue. Confronting it is inconvenient, costly, involves regulation, and gives the government a potential window into our private lives.

But in an overconnected Internet-driven world, we must think about our current systems differently.

Here’s the problem we face: The Internet was never designed to be secure. It was designed by academics to serve the needs of trusted colleagues. While it will be impossible to make any system, no matter how carefully conceived, entirely secure, it is inconceivable that the existing Internet and systems based on it can be made more than marginally secure. This is not to say that the security of these systems cannot be improved.

The current activity of cyber-criminals offers convincing evidence that existing systems can be easily penetrated, and many of those systems have already been compromised. Infected computers and portable memory devices may have already introduced malware to numerous existing systems. The structure of the Internet makes it virtually impossible to identify the source of a well-executed attack.

My guess is that we can improve existing systems enough so they can continue to serve the Public and Private system users but that the current system can never be made secure enough to protect Secure and Mission Critical systems.

It is critical that we protect to the highest degree possible our Mission Critical systems. Among them are military command and control systems, systems controlling financial networks and the transfer of money within the network, and networks that control our electric power. And, to a lesser extent, we need to protect other systems as well.

A few suggestions: We should consider physically disconnecting our Mission Critical systems from external networks. We should consider requiring all major ISPs (Internet Service Providers) to install the capability to do deep packet inspection. In the case of a DDoS attack, these systems could quarantine the packets used to barrage and choke Internet systems. And we should give regulatory agencies the power to impose certain standards for cyber-security on businesses.
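The two shapes of flood described earlier (one seized host hammering a site, or thousands of “zombies” each sending a trickle) and the quarantining an inspection point could do can be illustrated with a rate-based detector over a connection log. This is an added example written for this page, not the author’s code or any ISP’s product; the log format, the thresholds, and every address in it are constructed for illustration, and the point it makes is that a per-source limit alone misses the distributed case:

```python
from collections import defaultdict, deque

# Constructed log: one request per line as "timestamp_seconds source_ip dest_port".
# Addresses are from documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
1000.0 203.0.113.5 80
1000.1 203.0.113.5 80
1000.2 203.0.113.5 80
1000.2 198.51.100.7 443
1000.3 203.0.113.5 80
1000.4 203.0.113.5 80
1000.5 203.0.113.5 80
1000.9 198.51.100.8 80
1003.0 198.51.100.7 443
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, port) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port = line.split()
        records.append((float(ts), ip, int(port)))
    records.sort(key=lambda r: r[0])
    return records


def per_source_offenders(records, window=1.0, limit=5):
    """Sources that exceed `limit` requests inside any `window` seconds.

    Returns {ip: peak_count}. This check catches a single noisy host;
    it is blind to a flood spread thinly over many hosts."""
    recent = defaultdict(deque)
    peak = {}
    for ts, ip, _ in records:
        times = recent[ip]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()
        if len(times) > limit:
            peak[ip] = max(peak.get(ip, 0), len(times))
    return peak


def aggregate_flood(records, window=1.0, limit=20):
    """Peak request count over all sources in any `window` seconds, and whether
    it crossed `limit`; this is the check that sees a distributed flood."""
    times = deque()
    peak = 0
    for ts, _, _ in records:
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()
        peak = max(peak, len(times))
    return peak, peak > limit


def constructed_distributed_burst(n_sources=30, start=2000.0):
    """Constructed: many addresses, one request each, within a third of a second.
    Each stays under the per-source limit, but together they cross the aggregate one."""
    return [(start + i * 0.01, f"192.0.2.{i + 1}", 80) for i in range(n_sources)]


def quarantine_list(records):
    """Addresses an operator would rate-limit or drop based on the per-source check."""
    return sorted(per_source_offenders(records))


if __name__ == "__main__":
    single = parse_log(SAMPLE_LOG)
    print("per-source offenders:", per_source_offenders(single))
    print("aggregate peak:", aggregate_flood(single))
    spread = constructed_distributed_burst()
    print("per-source offenders:", per_source_offenders(spread))
    print("aggregate peak:", aggregate_flood(spread))
```

On the sample log the per-source check names the one busy address and the aggregate stays quiet; on the constructed burst the per-source check finds nothing while the aggregate count trips, which is why real deployments combine the two and add upstream capacity rather than relying on address-based quarantine alone.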

Doing these things will be expensive and create many inefficiencies. Many businesses will oppose these actions. Liberals and conservatives alike will worry about the potential loss of privacy and government intrusion into our lives that could result from the abuse of information collected with deep packet inspection. But realistically, it is hard to see many businesses and utilities going to the trouble and inconvenience of taking these types of actions unless they are forced to do so.

In an Internet-driven, overconnected world, power has become asymmetric. Small groups can do immeasurable amounts of damage with relatively small efforts.

Right now our country is the most vulnerable and most tempting target for cyber-terrorists and criminals. We have a highly developed physical and commercial infrastructure that is heavily dependent on the Internet. We cannot function if the Internet is shut down.

North Korea is possibly the country best positioned to attack us. They can launch cyber-attacks but their national infrastructure is so primitive that there is nothing for a cyber-warrior to attack. Cyber-terrorists are in a similar position. They have no banks or power stations for us to disable.

Our Defense Department is probably in a position to launch the most devastating and comprehensive cyber-attacks of any nation. Unfortunately, those attacks will not do much to defend many of our important systems. Probably none of them are secure enough to withstand a sophisticated assault.

So let’s get on with building the type of offense an Internet-driven, overconnected world requires. The new rule for that environment is “The best offense is a superior defense.” Relying as we currently do on having the best offense is a plan for losing World War III. Let’s start playing defense.

Tuesday, May 24, 2011

It looks like an attack on the U.S. Chamber of Commerce website from hacktivist group Anonymous — scheduled for 8 p.m. eastern time Monday according to posts on online image board 4chan and news aggregator Reddit — passed without incident and the site is still online.
The attack was supposed to be part of a protest against anti-piracy legislation proposed in Congress called the “PROTECT IP” act — or “Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property.” The hacktivist group said that the bill would allow the U.S. Government to force search engines and internet service providers to censor websites they do not like by saying it could cause copyright infringement. It wouldn’t be the first time Anonymous has taken up a political cause as the group attacked Visa and Bank of America for trying to cut off Wikileaks founder Julian Assange.
The U.S. Chamber of Commerce’s website is still humming and shows no sign of slowing down. The site loaded in a few seconds around the time the attack took place and it still only takes just a few seconds to load as of 11 p.m. pacific time. It looks like Anonymous was not able to rally enough of an attacking force to bring the site offline with a distributed denial of service (DDoS) attack using a program called the “low-orbit ion cannon.”
The “attack” wasn’t necessarily a failure — but it just shows how divisive and amorphous hacktivist group Anonymous can be. While a number of online activists frequently claim leadership over the hacking group and release missives and press releases, it can be difficult to rally the online hackers toward a cause. It’s usually politically motivated, like when the hacktivist group attacked Sony after the company tried to sue a hacker for “jailbreaking” a PlayStation 3 console.
Anonymous is a murky name sweepingly applied to hackers who frequent online forums like 4chan and other news aggregators that have undertaken some of the larger political causes. But because it isn’t an official organization, it’s hard to place any faces or names to the hacktivist group and it can, at times, be a very loose organization. There are also a few reports that hackers within the quasi-group Anonymous are starting to attack each other over how the PlayStation Network attacks and responses were handled.
Sony laid indirect blame for its online gaming network, the PlayStation Network (PSN), downtime on Anonymous, which typically rallies a group of loosely connected hackers under moral or political banners to take down large companies. The company said its defenses were weakened while it was fending off DDoS attacks from Anonymous, giving hackers an opportunity to break in. Anonymous has denied that it was involved in breaking into and bringing down the PSN.

Crooks using online games to farm virtual currencies that they can sell for real money have turned internet spaceship game Eve Online into a battlefield for botnets.
Eve Online is home to various rival groups who generate in-game currency for gamers who want to join in without spending their time acquiring experience and resources by working their way up from the bottom. Rival groups from eastern Europe are using botnets to DDoS opponents before taking over their territories. Regular gamers are often caught in the cross-fire of multi-pronged attacks that might occur in game, via DDoS attacks on forums, over VoIP communication systems and through late night prank phone calls. Game servers have taken a hit in the process.
Gold farmers are known for using Trojans to gain control of compromised accounts. The Eve Online baddies have taken a different tack through attacks that swamp forums with junk traffic.

Chris Boyd, a senior threat researcher at GFI Software and a gaming security expert, said that Eve Online's difficulties are a part of wider problems in virtual worlds.
"Gold farmers can cause the price of in-world items to rise, chat channels can be flooded by sale scams, endless bots and automated processes can cause significant server load," Boyd told El Reg. "That's before you get to the problems created by phishing, hacking and scamming established and profitable accounts."
Boyd (AKA paperghost) agreed that the miscreants on Eve Online are taking it up to 11.
"The idea that there are effectively dead systems filled with nothing but spambots and hostile empires that are happy to do battle outside of their gaming realm by DDoS'ing websites and making prank phonecalls is a fascinating insight into the troubles plaguing virtual worlds, and real world currency having a marked impact on virtual trading makes this a few steps above dedicated DDoS botnets designed for nothing other than kicking console gamers out of Halo 3 sessions."
Various groups rumoured to be working out of Eastern Europe and Russia are said to be offering in-game currency for real money. "Investigations by the owners of the game have caused several leaders of these alliances to be banned in the past," explained Reg reader Patrick, who was the first to tell us of the hive of villainy within Eve Online.

Cybercrime is any crime involving a computer or a network, and cybercrime has increased significantly in the past decade. Most organizations value employees that have an understanding of IT security risks, and many organizations require employees to have specific security certifications. This article provides an overview of various types of cyber crime, including cyber extortion, botnets, morphing malware, and online fraud.

Cybercrime is broadly defined as any crime involving a computer or a network. In the last decade, the amount of cybercrime has grown substantially resulting in significant losses to businesses, and lining the pockets of criminals. This article presents some information about some of the common cybercrime activities and it helps emphasize the value of IT security for any organization.
It also helps to emphasize the value organizations place on employees with IT security awareness. The (ISC)2 CISSP has become one of the top IT security certifications and many organizations seek employees with this certification for both IT jobs and managerial positions. Lower level security certifications such as CompTIA’s Security+ and the (ISC)2 SSCP are also valued by organizations. For example, the U.S. Department of Defense requires anyone with an administrative account to have at least a Security+ certification.

Cyber Extortion

In high-crime areas, extortionists have demanded payments from businesses for “protection.” If the businesses refused, the business was attacked, robbed, employees harassed, and in extreme cases, the business was burned. Of course, the extortionists actually attacked the businesses when the protection money wasn’t paid.
Extortion has made it to the cyber community. Attackers use distributed denial of service (DDoS) attacks to show they can cripple Websites and corporate networks, and then demand protection payments to stop the attacks and restore service. Ron Lepofsky wrote in 2006 that the U.S. and FBI receive at least 20 new cases of cyber extortion a month. Extortionists have demanded ransoms of more than 1 million dollars to stop the attacks. Some companies quietly pay. Others attempt to fight back.
A smaller form of cyber extortion is rogueware, or fake antivirus software. A user visits a Website and sees a popup indicating their system is infected, and encouraging them to download free software to clean their system. After the user downloads and installs the software, the rogueware reports several serious infections, but then states that the free version only scans the system and won’t clean it. If they want to clean their system, they must pay between $49.95 and $79.95 for the full version. PandaLabs reported in 2008 that criminals were extorting approximately $34 million a month from unsuspecting users. While this is bad enough in itself, the rogueware provides zero protection against actual malware, leaving the user with a false sense of security.
Additionally, many rogueware criminals include additional malware in the rogueware. For example, an added keystroke logger can capture a user’s keystrokes (such as capturing passwords for online banking accounts) and periodically send the data to the criminal. Many versions also include software to convert the computer into a zombie as part of a botnet.

Botnets

Botnets have grown to astronomical proportions over the past few years, and despite some successes, they’re still stealing money from people every day. As an example, NBC reported in 2004 that a small business in Miami was attacked. Specifically, their computer was infected with the CoreFlood virus (used in the COREFLOOD botnet) and someone transferred $90K out of their Bank of America account without their authorization to a bank in Latvia. Before this, the COREFLOOD botnet was primarily known for DDoS attacks.
Other losses from the COREFLOOD botnet include $115K from a real estate company in Michigan, $78K from a law firm in South Carolina, $151K from an investment company in North Carolina. The list goes on and on. Don’t think they’re only attacking businesses though. It’s just that when an individual’s $1,000 in savings is stolen, it isn’t as newsworthy as a loss of tens of thousands of dollars. Still, the loss of $1,000 by an individual can be devastating.
Interestingly, a report in June 2008 by Joe Stewart (Director of Malware Research, Dell SecureWorks) showed this same botnet was still in operation and the bot herders had shifted their activities from DDoS attacks, to full-fledged bank fraud. After all, they found they could get quick paydays with much less effort. At that time, they had infected over 378,000 computers and had at least one database with over 50 Gigabytes of data on hapless users around the world. The botnet had captured keystrokes and recorded bank passwords, credit card data, email passwords, social network passwords, and more.
As of February 2010, this botnet had grown to over 2.3 million infected computers with 1.8 million of the computers in the United States. Thankfully, the U. S. Department of Justice took several steps in April 2011 to take over the botnet’s command and control servers and may have succeeded in shutting this botnet down. We’ll see.
The point is botnets are thriving. Even though experts are shutting down some of the large botnets, it’s like a game of whack-a-mole. They keep popping up. In years past, malware was used to cause damage to systems such as corrupting a hard drive or system files. Today, malware is a tool often used by criminals to steal identities and hard cash from regular people just like you and me.

Morphing Malware

Malware is increasingly difficult to detect, mostly because attackers are constantly developing new methods and strategies. One common method used today is polymorphism. Malicious code within a single virus can be run through a mutation engine to create thousands of different versions of the same virus. While one version may be detected by a malware detection signature, thousands of other mutations may get past this signature until another signature is developed to detect the mutated versions.
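To show why a byte-for-byte signature (or a file hash) stops matching once a mutation engine changes the bytes around a routine, while a signature that allows gaps keeps matching across variants, here is an added example; it is not code from the page or from any antivirus vendor. The sample bytes, the three “variants”, and the small ClamAV-style hex signature subset it parses are all constructed for illustration:

```python
import hashlib
import re

# Constructed samples: a fixed six-byte "routine" (CORE) and a fixed tail,
# separated by a variable amount of filler, standing in for the variants a
# mutation engine emits. These are arbitrary bytes, not real malware.
CORE = bytes.fromhex("558bec83ec10")
TAIL = bytes.fromhex("8b4508")
VARIANTS = [
    b"\x90\x90" + CORE + b"\x01\x02\x03" + TAIL,
    b"\x90" + CORE + b"\xaa\xbb\xcc\xdd" + TAIL,
    b"\x90\x90\x90" + CORE + b"\x11" + TAIL,
]

# Signatures in a ClamAV-like hex notation (constructed subset):
#   hex pairs match literal bytes, "??" matches any single byte,
#   "{n-m}" matches between n and m arbitrary bytes.
EXACT_SIG = VARIANTS[0].hex()              # the whole first variant, byte for byte
WILDCARD_SIG = "558bec83ec10{1-4}8b4508"   # core, a short gap, then the tail


def hex_sig_to_regex(sig: str) -> re.Pattern:
    """Compile the hex signature subset above into a bytes regex."""
    parts = []
    i = 0
    while i < len(sig):
        if sig[i] == "{":
            close = sig.index("}", i)
            lo, hi = (int(x) for x in sig[i + 1:close].split("-"))
            parts.append(b".{%d,%d}" % (lo, hi))
            i = close + 1
        elif sig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(sig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def scan(samples, sig):
    """One True/False per sample: does the signature occur anywhere in it?"""
    pattern = hex_sig_to_regex(sig)
    return [pattern.search(sample) is not None for sample in samples]


def hash_detect(samples, known_hashes):
    """Hash-based detection: matches only files that have already been seen."""
    return [hashlib.sha256(sample).hexdigest() in known_hashes for sample in samples]


def compare_detections():
    """Run the three approaches over the constructed variants."""
    known = {hashlib.sha256(VARIANTS[0]).hexdigest()}
    return {
        "hash": hash_detect(VARIANTS, known),
        "exact": scan(VARIANTS, EXACT_SIG),
        "wildcard": scan(VARIANTS, WILDCARD_SIG),
    }


if __name__ == "__main__":
    for name, hits in compare_detections().items():
        print(f"{name:9s} {hits}")
```

The hash and the exact signature both recognise only the variant they were written from; the gapped signature recognises all three because it keys on the part the mutation engine left alone. That is the cycle the paragraph describes: a vendor can either ship a new exact signature per variant, or invest in a signature that tolerates the variation, and either way the definitions have to be refreshed far more often than weekly.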
At one point, it was recommended that you update your antivirus definitions on a weekly basis. Some experts now suggest you update it hourly. Malware vendors are constantly working on detecting new variants, updating signature files, and publishing them.
It’s also worth noting that all antivirus (AV) software is not created equal. Virus Bulletin publishes a monthly report on the effectiveness of AV products that is quite enlightening. You may think that anti-malware products can consistently detect close to 100 percent of malware in the wild, but that is not the case. For example, this graph shows a wide scattering of products in the 60 percent to 80 percent effectiveness ranges. This equates to a grade somewhere between a B and a D. For me, I don’t want the D student protecting my bank accounts and identity.
It’s also worth pointing out that criminals have discovered the power of malware when used effectively for criminal activities. While malware was previously used to take down systems or networks just for the fun of it, criminals don’t do that today. Instead, criminals use malware to enlist zombies into their huge botnets. These zombies then engage in activities allowing the criminals to steal money from people and organizations on a grand scale.

Zero Day Vulnerabilities

Zero day vulnerabilities are those that are known to attackers, but either not known to the vendor, or the vendor has not developed and released a fix yet. While this implies that a zero day vulnerability lasts only a single day, it can actually last months before a fix is written, tested, and released.
In other words, even if you are taking steps such as keeping a system up-to-date, running AV software, and regularly updating signature files, you are still at risk from zero day vulnerabilities. Defense-in-depth procedures within an organization include a variety of other security practices to protect systems and networks to help protect them from zero day vulnerabilities.

Online Fraud

Cybersource publishes an annual fraud report on online fraud. Online fraud is fraud occurring through the Internet, such as charges on stolen credit cards, and chargebacks required by a credit card’s issuing bank. In the 2011 Online Fraud Report, Cybersource reported that losses from online fraud were about 2.7 billion dollars in 2010.
The good news is that online fraud appears to be declining. Online revenue losses due to fraud were estimated at 3.3 billion in 2009 and a peak of 4 billion in 2008. While this may look like criminals are trying less, that’s not actually the case. Instead online retailers have dedicated more and more resources to blocking cybercrime and are enjoying some success. That is if you want to call an annual loss of 2.7 billion dollars a success.

Conclusion

If you’re studying IT security certifications (such as CompTIA Security+, or the (ISC)2 SSCP or CISSP), expect your skills and your knowledge to be in high demand. Organizations using computers, and especially organizations with an online presence, are recognizing the risks to IT systems and networks. More and more organizations value individuals that understand these risks.

Wednesday, May 18, 2011

Distributed denial of service (DDoS) attacks are an increasing concern for organizations large and small, according to new survey results released at the Interop computer networking show. Among the findings: organizations reported that they've been unable to keep up with attacks that have plagued them more frequently over the past year, according to the survey, commissioned by Symantec's VeriSign and conducted by Merrill Research. Researchers polled 225 IT decision makers. Security remains a top concern in organizations, as IT professionals struggle to keep up with the mounting threat. Here's a look at the results.

78 percent of respondents reported that they are extremely or very concerned about DDoS attacks.

67 percent say that they expect the frequency and strength of denial of service attacks to increase or stay the same over the next two years.

Close to two-thirds of respondents who experienced a DDoS attack in the past year said they sustained more than one attack.

11 percent said they had experienced six or more DDoS attacks in the past year.

60 percent of the respondents rely on their web sites for at least 25 percent of their annual revenue.

53 percent of the respondents said they experienced downtime in the past year, with DDoS attacks accounting for one-third (33 percent) of all downtime incidents.

More than two-thirds said their downtime impacted customers and half reported they lost revenue.

87 percent of IT pros believe that DDoS protection is very important for maintaining availability of websites and services.

71 percent of respondents who don’t have DDoS protection said they plan to implement a solution in the next year.

40 percent plan to outsource their DDoS protection, 31 percent plan to implement an in-house solution, and 29 percent are still undecided on their approach for protection.

A potential DDoS attack on Heroku, the Ruby platform-as-a-service provider now owned by Salesforce.com, is creating availability issues for its customers.

The problems started on Monday when Heroku reported that a small number of users, primarily those that point a root domain to Heroku via static Internet Protocol addresses, were getting connection errors.
Via its status page, Heroku later told customers that it was working closely with its network service provider to mitigate availability issues coming from what it believed was a distributed denial-of-service attack. "The current attack protection procedures have reduced the effects of this attack to intermittent issues," according to the status page.
Heroku did not reply to a request for further information.
Affected customers took to Twitter with their complaints. "The current @heroku issue has screwed me in a pretty emphatic way. Deeply unhappy about it," one user, John Barnette, wrote on Twitter.
The company Loqize.me, which uses Heroku and is having some issues, advised customers via Twitter to try reloading if they are unable to access the site. Another company, Rexly, apologized to customers having trouble using its service due to Heroku's "hiccups." NationBuilder.com also warned users about issues related to Heroku's service.
Heroku's problems follow other high-profile cloud outages that are making some people worry about the reliability of cloud services. Amazon Web Services suffered a sustained outage recently and Microsoft's hosted Exchange service was down in the Americas for several hours on multiple occasions last week.
One user vented his frustrations over being affected by both the Heroku problems and an apparent problem at SendGrid, an e-mail service. "Between @heroku and @SendGrid flaking on me today, I'm pretty upset. I pay these companies so I don't have to worry about this stuff," Lail Brown complained on Twitter.

Thursday, May 12, 2011

A "splinter group" has reportedly taken control of two websites that host hacker group Anonymous' primary communications channels in an attempt to decentralize the group.

Anonymous, the hacktivist group whose members were recently accused of conducting a massive breach of Sony’s PlayStation Network, appears to be coming apart at the seams following a “coup d’etat” takeover of the group’s primary communications network.
According to website Thinq_, a “splinter group” has seized control of two websites used by Anonymous to organize their various distributed denial of service (DDoS) attacks against their corporate and geopolitical enemies. Those sites are AnonOps.net and AnonOps.ru, both of which host the Internet relay chat (IRC) channels used by Anonymous members.
A member of the AnonOps network staff, who goes by the name “Ryan,” tells Thinq_ that he and a number of other disaffected Anonymous members seized control of the sites because they believed the group had become too centralized. They also accuse some members of “behind-the-scenes string-pulling” that allowed these Anons to assume leadership positions in the previously headless organization.
Before now, it has been widely stated that Anonymous has no central leadership, a tactic used to limit the ability of law enforcement (or anyone else, for that matter) from discovering Anonymous members’ real identities, or infiltrating their operations. This, says Ryan, is “bullshit.” In fact, he says, there are ten users that make all the decisions during a DDoS campaign, which is done in a single IRC channel.
“There is a hierarchy. All the power, all the DDoS – it’s in that channel,” he says.
To further make his point, Ryan leaked the IP addresses of more than 650 AnonOps users to the Internet — a move he says was “regrettable but necessary” to prove that their system for organizing attacks was insecure, and promote the idea that Anonymous must decentralize to survive.
The Anonymous members that Ryan says act as puppet masters for the group firmly refute his claims, and insists that it is Ryan, not they, who has gone off the deep end.
“[Ryan] accuses us of trying to control Anonymous from behind the scenes,” one Anon told Thinq_. “In fact, the channel he refers to was for chat moderation and he himself was part of it.”
The group says that Ryan — who is allegedly behind the controversial transformation of Encyclopedia Dramatica into ‘Oh Internet’ — is threatening to use an 800,000-computer-strong botnet (a group of computers taken over by hackers) to attack AnonOps, if they are able to take back the site from the splinter group. They also called Ryan “dangerous,” prone to “outbursts,” and “arrogant and narcissistic.”
“We all knew Ryan was dangerous,” said one Anon. “Just how dangerous nobody was quite sure. He has always had little outbursts. We knew one day there would be a massive one, but we were never sure when.”